This:
[X509CertificateAuthScheme:301]
StringTokenizer st = new StringTokenizer(s, ",");
Isn't sufficient, because DNs may contain "-escaped strings. Such as:
OU="VeriSign, Inc.", OU=ECA, O=U.S. Government, C=US
So, the split /,/ actually breaks the first OU.
Codebase is 1.8.0